3.1. Coordinator Kerberos Authentication

The Presto coordinator can be configured to enable Kerberos authentication over
HTTPS for clients such as the Presto CLI or the JDBC and ODBC drivers.

To enable Kerberos authentication for Presto, configuration changes are made on
the Presto coordinator. No changes are required to the worker configuration;
the worker nodes will continue to connect to the coordinator over
unauthenticated HTTP. However, if you want to secure the communication between
Presto nodes with SSL/TLS, configure Secure Internal Communication.

Environment Configuration

Kerberos Services

You will need a Kerberos KDC running on a
node that the Presto coordinator can reach over the network. The KDC is
responsible for authenticating principals and issuing session keys that can be
used with Kerberos-enabled services. KDCs typically run on port 88, which is
the IANA-assigned port for Kerberos.

MIT Kerberos Configuration

Kerberos needs to be configured on the Presto coordinator. At a minimum, there needs
to be a kdc entry in the [realms] section of the /etc/krb5.conf
file. You may also want to include an admin_server entry and ensure that
the Presto coordinator can reach the Kerberos admin server on port 749.

The complete documentation
for krb5.conf is hosted by the MIT Kerberos Project. If you are using a
different implementation of the Kerberos protocol, you will need to adapt the
configuration to your environment.
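
To see which KDC and admin server endpoints a given krb5.conf defines, the shell functions below list the kdc and admin_server entries of each realm in [realms] and apply the default ports 88 and 749 where an entry gives none. This is an added example, not part of the Presto or MIT Kerberos documentation; the function names realm_servers and has_kdc are hypothetical, and IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example (not from the Presto or MIT Kerberos documentation).
# realm_servers FILE: print "REALM role host:port" for every kdc and
# admin_server entry in the [realms] section of a krb5.conf-style file.
# Entries without a port get the defaults: 88 for kdc, 749 for admin_server.
realm_servers() {
    awk '
        /^[ \t]*[#;]/ { next }                     # comment lines
        /^[ \t]*\[/   { in_realms = ($0 ~ /^[ \t]*\[realms\]/); realm = ""; next }
        !in_realms    { next }
        /=[ \t]*[{]/  { realm = $0; sub(/[ \t]*=.*/, "", realm)
                        gsub(/[ \t]/, "", realm); next }   # "EXAMPLE.COM = {"
        /[}]/         { realm = ""; next }
        realm != "" && (i = index($0, "=")) {
            role = substr($0, 1, i - 1); host = substr($0, i + 1)
            gsub(/[ \t]/, "", role); gsub(/[ \t]/, "", host)
            if (role != "kdc" && role != "admin_server") next
            if (host !~ /:[0-9]+$/) host = host ":" (role == "kdc" ? 88 : 749)
            print realm, role, host
        }' "$1"
}

# has_kdc FILE REALM: succeed only if REALM has at least one kdc entry,
# which is the minimum the coordinator needs.
has_kdc() {
    realm_servers "$1" |
        awk -v r="$2" '$1 == r && $2 == "kdc" { found = 1 } END { exit !found }'
}

# Stand-alone use: pass the path of a krb5.conf as the first argument.
if [ "$#" -gt 0 ]; then realm_servers "$1"; fi
```

The host:port pairs it prints are the endpoints to test for reachability from the coordinator.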

Kerberos Principals and Keytab Files

The Presto coordinator needs a Kerberos principal, as do users who are going to
connect to the Presto coordinator. You will need to create these users in
Kerberos using kadmin.

In addition, the Presto coordinator needs a keytab file. After you create the
principal, you can create the keytab file using kadmin.

Running ktadd randomizes the principal’s keys. If you have just
created the principal, this does not matter. If the principal already exists,
and if existing users or services rely on being able to authenticate using a
password or a keytab, use the -norandkey option to ktadd.

Java Cryptography Extension Policy Files

The Java Runtime Environment is shipped with policy files that limit the
strength of the cryptographic keys that can be used. Kerberos, by default, uses
keys that are larger than those supported by the included policy files. There
are two possible solutions to the problem:

Update the JCE policy files.

Configure Kerberos to use reduced-strength keys.

Of the two options, updating the JCE policy files is recommended. The JCE
policy files can be downloaded from Oracle. Note that the JCE policy files vary
based on the major version of Java you are running. Java 6 policy files will
not work with Java 8, for example.

The Java 8 policy files are available here.
Instructions for installing the policy files are included in a README file in
the ZIP archive. You will need administrative access to install the policy
files if you are installing them in a system JRE.

Java Keystore File for TLS

When using Kerberos authentication, access to the Presto coordinator should be
through HTTPS. To set this up, create a Java Keystore File for TLS on the
coordinator.

System Access Control Plugin

A Presto coordinator with Kerberos enabled will probably need a
System Access Control plugin to achieve
the desired level of security.

Presto Coordinator Node Configuration

You must make the above changes to the environment prior to configuring the
Presto coordinator to use Kerberos authentication and HTTPS. Once those
environment changes are in place, you can make the changes to the Presto
configuration files.

Authentication type for the Presto
coordinator. Must be set to KERBEROS.

http.server.authentication.krb5.service-name

The Kerberos server name for the Presto coordinator.
Must match the Kerberos principal.

http.server.authentication.krb5.keytab

The location of the keytab that can be used to
authenticate the Kerberos principal specified in
http.server.authentication.krb5.service-name.

http.authentication.krb5.config

The location of the Kerberos configuration file.

http-server.https.enabled

Enables HTTPS access for the Presto coordinator.
Should be set to true.

http-server.https.port

HTTPS server port.

http-server.https.keystore.path

The location of the Java Keystore file that will be
used to secure TLS.

http-server.https.keystore.key

The password for the keystore. This must match the
password you specified when creating the keystore.
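
A preflight check for the properties listed above, as an added example that is not Presto's own code. It assumes the properties live in the coordinator's config.properties, uses http-server.authentication.type as the name of the authentication-type property, and adds a keytab permission check that is this example's own hardening assumption; the function names prop and check_coordinator_config are hypothetical.

```shell
#!/bin/sh
# Added example (not Presto code): preflight check of the Kerberos and HTTPS
# properties listed above. Function names are hypothetical.

# prop FILE KEY: print the value assigned to KEY (last assignment wins).
prop() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                     # comment lines
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

# check_coordinator_config FILE: print one FAIL line per finding and return
# the number of findings (0 means the file passed every check).
check_coordinator_config() {
    cfg=$1; n=0
    fail() { echo "FAIL: $*"; n=$((n + 1)); }
    [ "$(prop "$cfg" http-server.authentication.type)" = KERBEROS ] ||
        fail "http-server.authentication.type must be KERBEROS"
    [ "$(prop "$cfg" http-server.https.enabled)" = true ] ||
        fail "http-server.https.enabled should be true"
    for k in http.server.authentication.krb5.service-name \
             http-server.https.port http-server.https.keystore.key; do
        [ -n "$(prop "$cfg" "$k")" ] || fail "$k is not set"
    done
    for k in http.server.authentication.krb5.keytab \
             http.authentication.krb5.config http-server.https.keystore.path; do
        f=$(prop "$cfg" "$k")
        if [ -z "$f" ]; then fail "$k is not set"
        elif [ ! -r "$f" ]; then fail "$k: cannot read $f"
        fi
    done
    # Hardening check assumed by this example (not a Presto requirement):
    # the keytab holds long-term keys, so group and other get no access.
    kt=$(prop "$cfg" http.server.authentication.krb5.keytab)
    if [ -f "$kt" ] && [ "$(ls -ld "$kt" | cut -c5-10)" != "------" ]; then
        fail "keytab $kt is accessible to group or other"
    fi
    return "$n"
}

# Stand-alone use: pass the path of config.properties as the first argument.
if [ "$#" -gt 0 ]; then check_coordinator_config "$1"; fi
```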

Note

Monitor CPU usage on the Presto coordinator after enabling HTTPS. Java will
choose CPU-intensive cipher suites by default. If the CPU usage is
unacceptably high after enabling HTTPS, you can configure Java to use
specific cipher suites by setting the http-server.https.included-cipher
property.

access-control.properties

At a minimum, an access-control.properties file must contain an
access-control.name property. All other configuration is specific
to the implementation being configured.
See System Access Control for details.

Troubleshooting

Getting Kerberos authentication working can be challenging. You can
independently verify some of the configuration outside of Presto to help narrow
your focus when trying to solve a problem.

Kerberos Verification

Ensure that you can connect to the KDC from the Presto coordinator using
telnet.

$ telnet kdc.example.com 88

Verify that the keytab file can be used to successfully obtain a ticket using
kinit and klist.

Java Keystore File Verification

Additional Kerberos Debugging Information

You can enable additional Kerberos debugging information for the Presto
coordinator process by adding the following lines to the Presto jvm.config
file:

-Dsun.security.krb5.debug=true
-Dlog.enable-console=true

-Dsun.security.krb5.debug=true enables Kerberos debugging output from the
JRE Kerberos libraries. The debugging output goes to stdout, which Presto
redirects to the logging system. -Dlog.enable-console=true enables output
to stdout to appear in the logs.

The amount and usefulness of the information the Kerberos debugging output
sends to the logs varies depending on where the authentication is failing.
Exception messages and stack traces can also provide useful clues about the
nature of the problem.